社区运营小助手 (Community Operations Assistant)

Security checks across malware telemetry and agentic risk

Overview

This appears to be a real Koubei Circle operations skill, but it gives an agent broad merchant-admin powers with weak local guardrails around data access, messaging, and credential storage.

Install only if you trust the publisher and intend to let an agent use a Koubei merchant key with broad operational authority. Treat scripts/config.json like a password and avoid pasting keys into shared terminals. Manually review SQL queries, recipients, labels, points changes, uploads, and posts before execution, and rotate the merchant key if the local config or logs may have been exposed.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
Findings (11)

Description-Behavior Mismatch
Severity: Medium
Confidence: 95%
Finding: The reference exposes capabilities far beyond simple content operations, including direct SQL querying, account/identity management, labeling, bulk messaging, and points administration. In an agent skill context, documenting these powerful primitives without strong scope restrictions or authorization boundaries materially increases the risk of over-privileged use, sensitive data access, spam, and mass account manipulation.

Intent-Code Divergence
Severity: Low
Confidence: 88%
Finding: The documentation requires user confirmation before publishing, but the CLI command shown can publish immediately and there is no described technical control enforcing that confirmation. In an agent-driven workflow, relying on instruction text alone is unsafe because an agent or wrapper can skip the confirmation step and perform unintended posting actions.

Description-Behavior Mismatch
Severity: Medium
Confidence: 83%
Finding: The README documents a generic SQL query capability against an external OpenClaw data source, which exceeds the stated merchant-operation scope of the skill. Even though this is documentation rather than executable code, advertising out-of-scope data querying can enable misuse, broaden operator expectations, and increase the chance that sensitive or unrelated datasets are accessed through the skill's tooling.

Intent-Code Divergence
Severity: Low
Confidence: 72%
Finding: The documentation claims the API key is encrypted in storage, but the README provides no evidence for that guarantee and points to a local config file. Unsubstantiated security claims can cause operators to handle credentials less carefully, leading to insecure storage assumptions and accidental exposure if the implementation only stores the key in plaintext or weakly protected form.

Description-Behavior Mismatch
Severity: High
Confidence: 95%
Finding: The skill exposes schema discovery and arbitrary SQL execution through `tables` and `query`, which materially exceeds the stated merchant community-operations scope. In this context, raw SQL can enable unrestricted reads or modification of backend data if the API key has broad privileges, turning a posting automation tool into a database administration interface.

Context-Inappropriate Capability
Severity: High
Confidence: 98%
Finding: Accepting arbitrary SQL from CLI arguments and forwarding it to `/openclaw/query` is dangerous because it enables unrestricted database interaction through the skill. Given the skill's merchant-operations context, this capability is unnecessary and substantially increases the blast radius of credential misuse or operator error.

Vague Triggers
Severity: Medium
Confidence: 83%
Finding: The invocation phrases are broad everyday language such as asking to configure a key or send a post, which can overlap with normal conversation and cause unintended skill activation. In a skill that can store merchant credentials and perform write actions, accidental triggering increases the risk of unauthorized configuration changes, message sending, or other side effects based on ambiguous user input.

Missing User Warnings
Severity: Medium
Confidence: 90%
Finding: The documented bulk messaging, labeling, and upload capabilities can affect many users and may process personal data or untrusted content, yet the reference lacks visible safeguards such as consent checks, audience validation, rate limits, content scanning, or privacy warnings. In a merchant operations skill, these actions can readily be abused for spam, targeting, privacy violations, or distribution of unsafe files.

Missing User Warnings
Severity: Medium
Confidence: 89%
Finding: The README instructs users to initialize the tool with an API key but does not warn that the credential is sensitive or explain safe handling practices. This increases the likelihood of secrets being pasted into shell history, logs, screenshots, shared terminals, or improperly protected local files, which is especially relevant because the skill requires a merchant key to perform operations.

Missing User Warnings
Severity: Medium
Confidence: 87%
Finding: The API key is persisted in plaintext in `scripts/config.json` without any warning, permission hardening, or secure storage mechanism. On shared systems or in accidentally committed project files, this can expose credentials that authorize sensitive posting, messaging, and administrative actions.

Missing User Warnings
Severity: Medium
Confidence: 97%
Finding: Appending the API key to URL query parameters is risky because URLs are commonly logged by proxies, servers, browser history, monitoring systems, and reverse proxies. This can leak credentials even when HTTPS is used, especially in operational environments with extensive request logging.

VirusTotal

VirusTotal findings are pending for this skill version.